#!/bin/bash

process_code_tamper() {
    pid="$1"
    if [[ -z "$pid" ]]; then
        echo "用法: $0 PROCESSCODETAMPER <pid>"
        exit 1
    fi

    if gdb -q --batch -ex "attach $pid" -ex "info files" >/dev/null 2>&1; then
        echo "进程 $pid 的代码完整性正常。"
    else
        echo "进程 $pid 的代码可能已被篡改或无法访问。"
    fi
}

kernel_key_data_tamper() {
    suspicious_files=("/proc/sys/kernel/random/entropy_avail" "/proc/sys/kernel/kptr_restrict")
    tampered=0

    for file in "${suspicious_files[@]}"; do
        if [[ ! -f "$file" || ! -r "$file" ]]; then
            echo "关键数据 $file 无法访问或可能已被篡改。"
            tampered=1
        else
            echo "关键数据 $file 正常。"
        fi
    done

    if [[ $tampered -eq 0 ]]; then
        echo "内核关键数据完整性正常。"
    else
        echo "内核关键数据可能已被篡改，请检查。"
    fi
}

case "$1" in
    PROCESSCODETAMPER)
        process_code_tamper "$2"
        ;;
    KERNELKEYDATATAMPER)
        kernel_key_data_tamper
        ;;
    *)
        echo "用法: $0 PROCESSCODETAMPER <pid> 或 $0 KERNELKEYDATATAMPER"
        ;;
esac
